Apple Forensics – iPhone, iPod, and iPad Forensics

March 11, 2013
by admin
Apple forensics, apple iphone, cell phone forensics, Corporate investigation, digital forensic, eDiscovery, electronic discovery, forensics, iOS forensics, iphone, iPhone data recovery, iphone forensics, iTunes forensics, mobile forensic, mobile forensics, tablet

There are several ways that we can collect data from an iPhone or other Apple mobile device. The first option is to have physical access to the device. Each model and version of iPhone, iPod, and iPad has a different level of support, but each can be acquired in some forensic fashion. The three levels of support are:

Logical – The collection of active information on the device.
File System – The collection of the device’s file structure and the folders and files within.
Physical – A full forensic image of the memory on the device.

You may look at these three levels of support and automatically want the physical collection, but if you have a newer iPhone like the 4S or the 5, this level of support is not currently available. The main reason is that Apple started using the new A5 chip, and decoding for this chip has not been developed yet.

Don’t worry, it’s not all doom and gloom for those with an iPhone 4S or iPhone 5. As long as the phone is not password protected, we can obtain a file system extraction of the device. iPhones, iPods, and iPads save user and system data in database files. When we obtain a forensic file system extraction, those DB (database) files are collected as well. Thus it is possible to obtain both deleted and active content from the device with a forensic file system collection. Here is an example of the data that can be recovered from an iPhone.

[Screenshot: iPhone Forensic Collection]

This is only one example, and I have seen devices provide thousands of deleted and active items. The amount of data you can recover really depends on the user and how they used the device. If they did a factory restore, the data will most likely not be there.

A factory restore does not mean we are done at the forensic lab. What do you do when an Apple iPhone, iPod, or iPad has been wiped? We examine the computer for iTunes backups of the device. iTunes backup files can hold just as much data as the actual device, and sometimes more. When a user syncs their phone to the computer and loads up music, movies, or pictures, they are usually performing a backup as well. The backup files can be exported from the computer and loaded into our cell phone forensic tools for analysis. Below is an example of an iTunes backup file opened in our forensic tool.

[Screenshot: The collected data from an iTunes backup file via mobile forensic tools]

The value of the iTunes backup cannot be ignored. Whether you have a criminal, civil, or personal investigation involving Apple mobile products, the device and the iTunes backup can be forensically examined.
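To show what exporting a backup from the computer involves, the added example below (not from the original post or from any forensic tool) locates well-known databases inside an iTunes backup folder. iTunes stores each backed-up file under the SHA-1 hash of its domain and device path; the artifact list is a small sample, and the backup folder built in `demo()` is constructed.

```python
import hashlib
import os
import tempfile

# Sample of well-known artifacts: label -> (backup domain, path on the device).
ARTIFACTS = {
    "SMS / iMessage": ("HomeDomain", "Library/SMS/sms.db"),
    "Address book": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "Notes": ("HomeDomain", "Library/Notes/notes.sqlite"),
}
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any SQLite file

def backup_name(domain, rel_path):
    """File name used inside the backup: SHA-1 of '<domain>-<relative path>'."""
    return hashlib.sha1(f"{domain}-{rel_path}".encode("utf-8")).hexdigest()

def locate(backup_dir):
    """Return label -> (path, looks_like_sqlite) for artifacts present."""
    found = {}
    for label, (domain, rel) in ARTIFACTS.items():
        name = backup_name(domain, rel)
        # Older backups are flat; newer ones use a two-character subfolder.
        for cand in (os.path.join(backup_dir, name),
                     os.path.join(backup_dir, name[:2], name)):
            if os.path.isfile(cand):
                with open(cand, "rb") as fh:
                    # False here usually means the backup is encrypted.
                    found[label] = (cand, fh.read(16) == SQLITE_MAGIC)
                break
    return found

def demo():
    """Build a constructed backup folder holding one stub file and scan it."""
    with tempfile.TemporaryDirectory() as d:
        sms = backup_name("HomeDomain", "Library/SMS/sms.db")
        with open(os.path.join(d, sms), "wb") as fh:
            fh.write(SQLITE_MAGIC + b"\x00" * 84)  # header-sized stub
        return {label: ok for label, (_, ok) in locate(d).items()}

if __name__ == "__main__":
    print(backup_name("HomeDomain", "Library/SMS/sms.db"))
    print(demo())
```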
Devices like the iPhone or iPad can be a great resource for eDiscovery requests. These devices can be connected to an Exchange server or a web mail client. Depending on the configuration, the emails may reside on both the server end and the user (phone) end. When collecting emails and documents for an eDiscovery situation, user devices should not be ignored. They can house emails and documents that are no longer on the server or the user's computer. As you can see from the screenshot above, this user had 3,943 emails on the device, and of those emails 1,199 were deleted. These emails could make or break your case. They could also cause controversy if you do not collect them when ordered to. If your order is worded "collect all email and documents related to the case," every device holding these items should be forensically collected.
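Deleted items remain recoverable from the collected database files because iOS keeps messages, contacts and similar records in SQLite databases, and SQLite, unless its secure_delete setting is on, marks a deleted row's space as free without overwriting it. The added example below (not from the original post or from any forensic tool) shows this on a constructed database; the table, phone numbers and message text are made up.

```python
import os
import sqlite3
import tempfile

MARKER = "meet me at the dock at 9"  # constructed message text

def build_and_delete(path):
    """Create a constructed SMS-like table, then delete one message."""
    con = sqlite3.connect(path)
    # With secure_delete off, freed cells are not zeroed (set explicitly,
    # because some SQLite builds turn it on by default).
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO message (sender, body) VALUES (?, ?)",
        [("+15550100", "running late"),
         ("+15550101", MARKER),
         ("+15550102", "call me tonight")],
    )
    con.commit()
    con.execute("DELETE FROM message WHERE body = ?", (MARKER,))
    con.commit()
    con.close()

def live_bodies(path):
    """What a query of active records (a logical view) still returns."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM message ORDER BY id")]
    con.close()
    return rows

def raw_contains(path, text):
    """Search the database file's raw bytes, as a carving tool would."""
    with open(path, "rb") as fh:
        return text.encode("utf-8") in fh.read()

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample_sms.db")
        build_and_delete(path)
        result = {"live": live_bodies(path),
                  "raw_after_delete": raw_contains(path, MARKER)}
        con = sqlite3.connect(path)
        con.execute("VACUUM")  # rebuilds the file, dropping free space
        con.close()
        result["raw_after_vacuum"] = raw_contains(path, MARKER)
        return result

if __name__ == "__main__":
    print(demo())
```

The deleted text is absent from the query results but still present in the file until the database is rebuilt, which is one reason the amount of recoverable data depends on how the device was used.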

About the Author
Ohio-based Binary Intelligence, LLC is a professional investigation agency that provides expert services in the areas of computer forensics, cell phone forensics, high-tech investigations, electronic discovery and data recovery.
Contact Details

866-246-2794

513-282-4005 (F)

Binary Intelligence, LLC
150 Industrial Drive
Franklin, Ohio 45005

Binary Intelligence, LLC is a licensed professional investigative agency [Ohio License #2003005424]
©2012 Binary Intelligence, LLC. All Rights Reserved.